A soon-to-be-released government audit (Now public, see update below) says the Navy, in an attempt to reduce costs, let down its guard to risks posed by outside contractors at the Washington Navy Yard and other facilities, a federal official with access to the report tells TIME.

The Navy “did not effectively mitigate access-control risks associated with contractor-installation access” at Navy Yard and other Navy installations, the report by the Department of Defense Inspector General’s office says. Parts of the audit were read to TIME by a federal official with access to the document.

The risks resulted from an attempt by Navy officials “to reduce access-control costs,” the report finds.

The audit comes as questions are emerging about how the alleged perpetrator, or perpetrators, of the attack at Navy Yard in Washington on Monday gained access to the facility. At least 13 people are dead in the attack, including the alleged attacker, Aaron Alexis.

Alexis had been working for a company that computer giant Hewlett-Packard hired to help maintain the Navy Marine Corps Intranet, basically the sea service’s in-house Internet. According to a statement from the company, Alexis was employed by The Experts, an entity helping Hewlett-Packard maintain the network. The Federal Bureau of Investigation confirms that Alexis gained access to the Navy Yard with a valid pass obtained as part of his work as a contractor. Alexis had been arrested at least twice in gun-related incidents but wasn’t charged either time.

The audit shows a history of those with criminal records managing to bypass the Navy’s security. Fifty-two “convicted felons received routine unauthorized installation access, placing military personnel, attendants, civilians in installations at an increased security risk,” according to the audit.

The Pentagon inspector general began the audit in September 2012, and in August 2013 posted an update to its website reporting that it was expected to be released within the next 30 days.

Last month’s Pentagon inspector-general newsletter said the audit was intended to determine if “the Navy Commercial Access Control System [NCACS] is mitigating access-control risks to Navy installations.” That was the system restricting access to Navy Yard.

The contractor responsible for the NCACS did not immediately respond to requests for comment. The audit will be released “shortly,” says a spokeswoman for the Inspector General’s office.

— With reporting by Mark Thompson

UPDATE

A previous version of this story asserted that it was unclear how Aaron Alexis obtained the ID card to get access to the Navy Yard building, citing an AP report. After the article was published, the FBI told TIME and other publications that Alexis obtained a valid pass as part of his work as a contractor. The article has been updated with the new information.